SMS E2E Encryption and Tunneling

encryption technology is always a control technology whereby if a certain algorithm has been developed in the viewers they cannot export it to countries like in Iran okay even when they develop it even when they are teaching people in the U.S on various forms of cryptography if you are from a country that they do not export that technology to you might be taken out of the class until that lesson is over you might be denied the knowledge so that is what we mean by controlled uh technology now depending on the country's technology export controls yes that is what I've said and by the way when it comes to these are just Advocate but what by the technology is that when you send a message when a company sells cryptography to a certain country for example it's the U.S they sell uh cellular technology to Africa to countries like in Kenya they always sell something that is very secure secure enough for you to be private for your communication to be private amongst each other but weak enough for them to be able to access it or to interview to interfere with on demand okay that is the whole purpose of it so that is what you mean and when it comes to the technology when it comes to and what I'm focusing here is on the encryption part of it the encryption of the when it comes to SMS encryption records the parties text algebra as I've said it gives lots of your text your metadata your communication and the metadata and the communication metadata is when you communicated who you communicated with and how frequently you communicated it's not clear now when they return your text they can return it they can turn it over to the authorities based on court court court orders but we remember that countries legal systems are always dependent on the regime of the day okay so as technology improves laws can only change laws can either get to us or better but technology always improves its time so this is an example here of a text an article from Texas a Texas document in the U.S where the cellular service provider can maintain your communication and text communication for three to five days as you can see this is Virgin Mobile and this is an article that I picked up recently so that means that by law they can intercept you they have their data they have a columns they have sms's it's only a policy that they have give technical impact will keep your records for this amount of time if you have not been subpoenaed to give the rate to hand over the records to the authorities then they can delete it but remember when it comes to service providers the funny thing about service providers is that if you have the terms and conditions I can give you terms and commissions and tell you that this service cannot be shared by anybody else but that is just a Temple Mount agreement even if it's written remember Facebook about complete analytica they had us a privacy agreement right but the data was shared by external parties who will be able to analyze the data so when it comes to policies you cannot trust policies that much that is when it comes to Technologies you try uh you try to resolve things where policies cannot apply okay or where policies paid and by then what what I believe is that the law uh when it comes to technology the technology can be absolute or can not not absolute but um what do I mean I'm trying to figure out okay this is safaricom this is safaricom's policy on their profile they can legally keep your data okay that is what that is the agreement once you purchase a rent from safaricom and use it they legally hold you know for your call data phones your call logs and your messages okay that is legal that is a Biden agreement between you and safaricom now you can see that that is private they are not supposed to share it but if they decided to share it and using they say that they were subpoenaed by the by legal authorities what you want to do okay you cannot do much so when it comes to technology the good thing about technology is that where the the problem is that if technology fails if people fail to provide a technical solution a greater law okay that is where you have in the religions we have the Bible the Commandments Quran with Sylvia says don't do this don't do that isn't it so you're told that don't do this because they're repercussions that is a law and that is supposed to keep you in line in check if by default other methods of Faith okay or the technology things so when it comes to SMS security as you can see I've described this I described earlier it goes from the BTS the security is from the BTS which is those antennas usable repeaters the repeater that you see in your device that is where that encryption works okay foreign Network that text can be plaintiffs have you ever seen the stories about ss7 being intercepted foreign Network and what I've said is that SMS is generally uh or GSM security or encryption GSM encryption is not end to end okay end-to-end adjustments if I'm talking to Baraza if I'm passing a note between myself and my brother through somebody here or intermediary it's only Baraza and I will load the key okay how we are going to share our communication but in safaricom it's safaricom is intermediary for example safaricom is this label the disability that we decide what secret methods you're going to use can you say that now that means that she can have access to a communication when she wants so now the current form of the current form of uh SMS Technologies for the current form of how the GSM works when you send an SMS you start by you create a text right from your phone then the device the SIM card and creates that SMS using the accession key and then it sends it it sends the encrypted text the encrypted data over to the network okay and when it when it's in that Network here that Network the SMS is usually in plain text they can decide to encrypt it within the network but since they have the key it doesn't really matter so yeah if they if I have the key to how you guys are communicating even if I set it as encrypted I can still delete it when I want to and then once it's set over the network other processors work like checking whether you have credit whether whether the line is valid and everything else it sense you know an encrypted message from there BTS to Alice now Alice what will happen is that now Alice will agree today message the SIM card using her session key we decrypt the message and retrieve the SMS and then read it okay that's a very generalized example of how it takes msms process what okay now when it comes to the purpose issues that we've noted is that and some of these issues when I was researching on them I was one of the people that greatly contributed to the my understanding and being able to find some of the challenges and being able to work around some of the challenges is Chris Christmas come over there that day when you're gonna deposition [Music] he's a big letter guy and he has helped me a lot so as you can see what I've said is that the SMS are not educated [Music] let's see okay now this GSM sniffing and Jason sneaking doing one of our presents are one of the previous abilities in h Africa how come from the presentation there was one way in which people could be able to sleep the GSM packets and the capital was there isn't it uh I think uh true there the person that presented how you will be able to create an Interceptor or you can be able to Spook a GSM network or somebody called that was the first number that I saw but on various videos there were examples of how you could be able to sniff the GSM packets and using one terabyte of keys just one terabyte you could be able to crack any communication anywhere so if um intercepting communication to that with yes and then I collect enough of that information and then I try to crack it using one TB of keys I could be able to crack them on their conversations and apart from that there is interception in terms of business and isn't it well again when you gain access to the internet when you gain access to the network and you get the key for that particular Network you can be able to listen to or intercept any communication that is necessary now assuming the communication is encrypted because encrypted and the SMS is encrypted what you can leverage on is the metadata right because the metadata for example if I'm looking at these two people what's her name foreign yes it was yeah just I'm using an example what's your name yes speak up in order now okay assuming this is what is happening here Benson and Jennifer are talking right I'm looking at them I cannot see what they're saying send you but I know they are talking they're communicating and what and they're communicating isn't it and if I follow them if I watch them remotely I can be able to build a profile on how long they have been communicating how frequently they're communicate and that is the ability of that is one of the abilities of btsm providers they can be able to use specific algorithms or machine learning algorithms or data mining algorithms to build a profile your network profile and what the what that was done was by me and my my master supervisor back in 2012 we developed an algorithm that could be able to use the GSM data to build a network profile for example if I wanted to know who Barraza who's baraza's network in terms of who are his colleagues who are colleagues who does he like hanging out with who is his family I can build a profile of that on the data from safaricom based on the geo location his location and the people he communicates with these are algorithm that you can be able to develop that I developed that was able to do that and it's a simple one it's not that difficult and that was one of the issues that we identified and which acted as the premise for Made In This research so now when it comes to encryption and telling this is now where the solution comes into play and encryption and telling there are two things that work first of all is the encryption of their synthesis right we don't want your sms's being intercepted even if they intercepted you don't want them to be legible to the people that are interested in it isn't it that is the first part the second part is that if I want to communicate with you and I do not want the service providers to know that we are communicating they we need to find a way that we can be able to for me I could be able to send a message to you through a caveat Channel and that channel will forward the message to you and when it comes to the network you cannot chat and normally when it comes to tanning that is what usually happens isn't it see when using VPN if you want to music Facebook uh if there is a system I'm doing Mahalia makeup or safaricom and they are looking at your internet traffic and using a VPN to visit Facebook they cannot tell you this is Facebook isn't it now for sms's it can work that same approach can work for sms's so that is the first thing in terms of turning turning is just using a different channel to communicate okay so that you can so that you can prevent interception or you can prevent analysis for interception and they are access data that is encryption the solution is inclusion to prevent that but to prevent the analysis of your conversations you can use channeling and it's not that difficult the solution is not that difficult I'm going to demonstrate it here so using a semester the solutions that are that I've worked on here uh tries to do that for SMS communication and this is the first approach and it does complete steps the first one is just the enclosure and encrypted expresses and then they send it to me delivery okay and when it comes to encrypting and submissions and send it to you yes that SMS can be intercepted but it will not be applicable so the first one is you have the SMS you write to SMS then the app the app that you're using encrypts that SMS then it will encrypt the oldest thing before the service is sent by the device it's supposed to be encrypted using the session isn't it in the previous example which is sent over to the BTS now these guys even if they have that SMS that you sent it's not legible to them because the key that you have it's only accessible to you and Alice okay and I'm going to explain how it works how the Education Works because if you encrypt you will encrypt something you need to find a way to share things secretly isn't it so The Next Step the key this is a sense over to Alice it is decrypted using the the private the session key for the SIM card and then now the app will complete we'll get the SMS we click it and give the uh plain text SMS so from here anything going here will be included in a way that the GSM provider cannot be able to yeah so the next one is yeah the next step or the next uh way of encrypting it is using now a GSM Gateway for example if I want to send a message to Baraza I can send a message with the routing information that for the business report this message to Baraza to a gateway called what's her name okay so I sent an SMS to penina with routine information it's encrypted with penina's public key so Marina using her private key will deplete the message and say they see that there is an encrypted message but with root information saying foreign once it switches what will happen is that my brother will decorate the message using his private key and he'll see that there's a message but this the message says that this is the message and this is so in the SMS the before the semester the message will appear that has come from safaricom knows that the message came from company isn't it but it's only by raza's from the app that recruited the message knows that it came from me okay and that is how it works now this is the approach you click the message you encrypt it you send it to uh you will send it to an SMS schedule and then they said they said text will be required to that SMS lettering the SMS schedule is decrypt as you can see add T just means the routing information okay to form it so once it switches how investigated this uh the SMS gateway the SMS gate will take out that information and forward the text the included text [Music] Alice will know that this text came from Baraza okay and the way this text will be located will be that the message has been encrypted in two weeks has been encapsulated the first the first SMS was encrypted using Palace public key and then the second encapsulated message that encapsulates the person for routing and constituency these gateways public key so that once the message comes to this uh the Gateway the message will be decrypted by its own print here and you remember PKA infrastructure ensures that you can be able to send the keys isn't it for the public private conclusion but I'm not sure how you can be able to improve this message and this is working in terms of data communication so once it's sent it towards it if safaricom wants to analyze the data safaricom will notice above sent a message to the Gateway that's it and they'll see that the message came from the gateway to Alex but when you analyze it when you use algorithms and Define them a little bit you can be able to tell you can be able to create a pattern based on the timing isn't it because if I send it to her penis sends it to Baraza every time I send it to the penny I need to arrive and then penina sends a message to balance you can be able to tell isn't it that's one way now there's another solution which I find a little bit better so the other solution is by now using sending a message using an online API service like affiliate study that's all so what I'll do is that I'll send a message don't quickly so I'll send a post request using the internet traffic is talking and then Africa is talking the command will include for this message they say you have obviously African is talking when you want to send a message to somebody you give the number you give the text isn't it and use the API the username and API key so once I send it to Africa stocking using a post it appears nowhere within the gsm network right and then Africa is talking will send a message to Baraza and then once it or therefore the message reaches Baraza what will happen is that but rather we decrypted using his private key and when he extract the message he'll see that the message was not really from Africa is talking but it was from me the original sender was me but it went through Africa history so the default SMS app will show that the message came from Africa is talking but the app that Baraza is using for security for Security Services we shall not the message came from me this is how it works you will create a message you encrypt it using baraza's private key a properly key you send it using a post request to the cloud API service the API service sends the message to but as a music there Network and that was Baraza receives the message he decides it and gets the message okay now let me show you how they know what the contact exchange works because the fact that we have discussed about how the the messages are sent isn't it but how do you share your contact with each other therefore this is how it works now this is Alice and this is Bob they both have the app and they have the contact this is how you share the contact what will happen is that Alice will send Bob her contact okay and then what's Bob receives a contact Bob will send Alice his contact it's supposed to be deliberate because you're not supposed to no no no you have WhatsApp and then receive a message you've seen those messages isn't it and they irritated but what you say for this app the contact needs to be delivered you need to have that person's contact so that you can be able to communicate so once you've extend the contacts the next step is that now in this at this stage it is no other Exchange Bob and Alice can communicate using each other's public keys for example because it's just 160 characters and if it's more than 60 you'd end up and split it into multiple messages but if it's one message you can come you can communicate using public Keys as well and it and it does work but our next the next level is that Alice can generate a shared private key and initially different vector and then once they generate the initialization vector and the private key they encrypt that message they create a trigger function okay there are two types of messages that these are places there's the noble SMS and it's a trigger function the trigger function is an SMS that tells the app update this contact key of this contract so what will happen is that Alice will generate a shared private key and an initialization Vector then it encrypts it using both public key then are you since the public a daily message to Bob that uh trigger function once Bob receives it Bob will deplete the message using his private key and then extract the message and the message will say up date Alice contact using this information so there will be a private key that has been generated so Bob has received it but that doesn't end the above needs to confirm that he has received that key isn't it so what will happen is that Bob will generate the hash of that key once has generated the hash of that key and the AV both will now send will encrypt that as I will we convert that ID as a message and send that message using an encrypted using Alice public key and send that confirmation to Alice and then once Alice has received that Alice will see that Bob has shared the hash of the key and IV and that should compare with the hash of the keys and I wish he generated okay she generated the height of the key or end of the IV of the contact Bob once is much Alice then uh will send a confirmation to Bob that yes I've received an acknowledgment it's this is something similar to TCP can you say wtcp Works see this is something similar to that and once they sent it the acknowledgment back to others now with the backup at least in terms of what is what wil